-
Notifications
You must be signed in to change notification settings - Fork 5
/
nextcloud.yml
482 lines (449 loc) · 19.5 KB
/
nextcloud.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
---
- hosts: homelab
vars:
application: nextcloud
docker_network: "{{ networks.pub }}"
tasks:
- name: Create config folder
ansible.builtin.file:
path: "{{ config_directory }}"
state: directory
owner: "{{ common_user }}"
group: "{{ common_group }}"
mode: "0771"
- name: Create postgres container
ansible.builtin.import_role:
name: postgres
vars:
postgres_version: 16
postgres_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34393861343432623031643033656336643264646638626632633335393862643965303332643463
3839396236373233633036643730646366373536346130360a656461663033396130623435616135
37613265663936396433306166373039333530623863326135656236323661396537386265333038
6539663361336635310a333437613932363937383838366162623031323265396232396235666336
65373662303434363834656234626237336438663531383232313034356234396462
- name: Create redis container
ansible.builtin.include_role:
name: redis
vars:
redis_version: 7
redis_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35383639333265303734343930383630303464313430353465306531363339646264663934346564
3937383165666563386238313663653931323839633266660a633032323964613734356462306434
36636530383134373035316266616432383330653830373237646233633865333133363964656662
3231366665366137380a323932633634396132376331363030613835616435626332303732303731
39396138663536663432663664386264386333623437616237643630663831353533
- name: Create nextcloud container
ansible.builtin.include_role:
name: docker_container
vars:
image: nextcloud:30.0.2
volumes:
- "{{ config_directory }}/app:/var/www/html"
env:
POSTGRES_DB: "{{ _postgres_database }}"
POSTGRES_USER: "{{ _postgres_username }}"
POSTGRES_PASSWORD: "{{ _postgres_password }}"
POSTGRES_HOST: "{{ _postgres_hostname }}"
NEXTCLOUD_ADMIN_USER: "{{ common_user }}"
NEXTCLOUD_ADMIN_PASSWORD: !vault |
$ANSIBLE_VAULT;1.1;AES256
34373162656662326631363762383431623164666236666434306665316263303035316336303163
6665626235353661313363633732383734343237356165640a333966663962356561346362366635
32393133663937386338343839346662623631306333653833356634393833326465613932353931
3138613230353462620a383130653733326661386336393737643233396464353061386431316264
64663865643961313431333430373362353366323836386238623831646139356537
# these values need to be updated manually afterwards in config.php
NEXTCLOUD_TRUSTED_DOMAINS: "{{ application }} {{ application }}.{{ docker_network.name }} {{ application }}.{{ common_local_tld }} {{ application }}.{{ common_tld }}"
TRUSTED_PROXIES: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] | string }} {{ docker_network.subnet }}"
OVERWRITEPROTOCOL: "https"
REDIS_HOST: "{{ _redis_hostname }}"
REDIS_HOST_PORT: "{{ _redis_port | string }}"
REDIS_HOST_PASSWORD: "{{ _redis_password }}"
SMTP_NAME: "{{ common_email_username }}"
SMTP_PASSWORD: "{{ common_email_password }}"
SMTP_PORT: "{{ common_email_port | string }}"
SMTP_HOST: "{{ common_email_server }}"
SMTP_SECURE: "tls"
PHP_MEMORY_LIMIT: "10000M"
PHP_UPLOAD_LIMIT: "10000M"
APACHE_BODY_LIMIT: "0"
homepage:
group: Favourites
weight: 100
description: "Productivity platform"
widget:
username: !vault |
$ANSIBLE_VAULT;1.1;AES256
37326331633339343636663939663063346364616133366566343363356130656238336661656434
3063613231636130343066303438356639333565316530350a633565363836653264303735626334
30653637346238623934386635353430303131666536396262393137316462663930613565373939
3064646266383139390a613438326265373062333961326266643534326436616231653363376536
6366
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31313034323664653366313533393437656236303163616239623137343364316130306630313564
3039633230373231333039613838373330303635656638360a636530313139346537653032343932
39306563666533333931646532336466333531356238663231386665353237333939336637653135
6130613464383439360a613537313031396335623433363436326639623863353463616662643930
35363963393037623362353633333536383363613065666130663236643134316234
fields: '["numshares"]'
blackbox:
path: /status.php
traefik:
- port: 80
middlewares:
- "{{ application }}-dav"
labels:
# 33 is www-data
'{
"traefik.http.middlewares.{{ application }}-dav.redirectregex.permanent": "true",
"traefik.http.middlewares.{{ application }}-dav.redirectregex.regex": "https://(.*)/.well-known/(card|cal)dav",
"traefik.http.middlewares.{{ application }}-dav.redirectregex.replacement": "https://${1}/remote.php/dav/",
"chadburn.enabled": "true",
"chadburn.job-exec.{{ application }}-cron.user": "33",
"chadburn.job-exec.{{ application }}-cron.schedule": "@every 5m",
"chadburn.job-exec.{{ application }}-cron.command": "/usr/local/bin/php -f cron.php",
"chadburn.job-exec.{{ application }}-cron.tty": "false",
"chadburn.job-exec.{{ application }}-cron.no-overlap": "true"
}'
- name: Install onlyoffice app
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ app:install onlyoffice"
register: _command_result
failed_when: "'Could not download app' in _command_result.stdout"
changed_when: "'already installed' not in _command_result.stdout"
retries: 3
delay: 2
- name: Create onlyoffice container
ansible.builtin.include_role:
name: docker_container
vars:
name: "{{ application }}-onlyoffice"
image: onlyoffice/documentserver:8.2.0
volumes:
- "{{ config_directory }}/onlyoffice/logs:/var/log/onlyoffice"
- "{{ config_directory }}/onlyoffice/data:/var/www/onlyoffice/Data"
- "{{ config_directory }}/onlyoffice/lib:/var/lib/onlyoffice"
- "{{ config_directory }}/onlyoffice/rabbitmq:/var/lib/rabbitmq"
- "{{ config_directory }}/onlyoffice/redis:/var/lib/redis"
- "{{ config_directory }}/onlyoffice/db:/var/lib/postgresql"
env:
JWT_ENABLED: "true"
JWT_SECRET: &onlyoffice_jwt_secret !vault |
$ANSIBLE_VAULT;1.1;AES256
62613932646635633462646366396438636165303466366338363166323132613938336334363633
6465333735656137653439313233636566636330363461380a616231323438333336356233386561
36336638383239666262346166393839396466353833306138386636333130333131313966313666
6361663336343432610a333138353763353731393061613036336433613733626230396234356330
33356564396233646537353237663533646133386534663166633664343966306464
USE_UNAUTHORIZED_STORAGE: "true"
ALLOW_META_IP_ADDRESS: "tru"
ALLOW_PRIVATE_IP_ADDRESS: "true"
traefik:
- port: 80
rule: Host(`onlyoffice.{{ common_tld }}`)
middlewares:
- "{{ application }}-onlyoffice-sslheaders"
labels:
'{
"traefik.http.middlewares.{{ application }}-onlyoffice-sslheaders.headers.customrequestheaders.X-Forwarded-Proto": "https"
}'
- name: Configure onlyoffice app
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ config:app:set onlyoffice {{ item.name }} --value={{ item.value }}"
register: _command_result
failed_when:
- "'for app onlyoffice set to' not in _command_result.stdout"
- "'Config value were not updated' not in _command_result.stdout"
changed_when: "'is now set to' in _command_result.stdout"
retries: 3
delay: 2
loop:
-
name: jwt_secret
value: *onlyoffice_jwt_secret
-
name: DocumentServerUrl
value: "https://onlyoffice.{{ common_tld }}/"
-
name: DocumentServerInternalUrl
value: "http://{{ application }}-onlyoffice.{{ docker_network.name }}/"
-
name: StorageUrl
value: "http://{{ application }}.{{ docker_network.name }}/"
-
name: defFormats
value: '{\"csv\":\"true\",\"doc\":\"true\",\"docm\":\"true\",\"docx\":\"true\",\"docxf\":\"true\",\"oform\":\"true\",\"dotx\":\"true\",\"epub\":\"false\",\"html\":\"false\",\"odp\":\"true\",\"ods\":\"true\",\"odt\":\"true\",\"otp\":\"true\",\"ots\":\"true\",\"ott\":\"true\",\"pdf\":\"false\",\"potm\":\"true\",\"potx\":\"true\",\"ppsm\":\"true\",\"ppsx\":\"true\",\"ppt\":\"true\",\"pptm\":\"true\",\"pptx\":\"true\",\"rtf\":\"true\",\"txt\":\"true\",\"xls\":\"true\",\"xlsm\":\"true\",\"xlsx\":\"true\",\"xltm\":\"true\",\"xltx\":\"true\"}'
-
name: customizationChat
value: false
-
name: customizationFeedback
value: false
-
name: customizationHelp
value: false
-
name: customizationToolbarNoTabs
value: false
-
name: customizationTheme
value: "theme-light"
- name: Create collabora container
ansible.builtin.include_role:
name: docker_container
vars:
name: "{{ application }}-collabora"
image: collabora/code:24.04.9.2.1
capabilities:
- MKNOD
env:
aliasgroup1: "https://{{ application }}.{{ common_tld }}:443"
server_name: "collabora.{{ common_tld }}"
dictionaries: "en_GB en_US"
extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
traefik:
- port: 9980
rule: Host(`collabora.{{ common_tld }}`)
# - name: Install nextcloud office app
# community.docker.docker_container_exec:
# container: "{{ application }}"
# user: www-data
# command: "php occ app:install richdocuments"
# register: _command_result
# failed_when: "'Could not download app' in _command_result.stdout"
# changed_when: "'already installed' not in _command_result.stdout"
# retries: 3
# delay: 2
#
# - name: Configure nextcloud office app
# community.docker.docker_container_exec:
# container: "{{ application }}"
# user: www-data
# command: "php occ config:app:set richdocuments {{ item.name }} --value={{ item.value }}"
# register: _command_result
# failed_when: "'for app richdocuments set to' not in _command_result.stdout"
# changed_when: false
# retries: 3
# delay: 2
# loop:
# -
# name: public_wopi_url
# value: "https://collabora.{{ common_tld }}"
# -
# name: wopi_url
# value: "https://collabora.{{ common_tld }}:443"
# -
# name: wopi_allowlist
# value: "192.168.0.0/16"
- name: Create imaginary container
ansible.builtin.include_role:
name: docker_container
vars:
name: "{{ application }}-imaginary"
image: h2non/imaginary:1.2.4
command: -enable-url-source
- name: Add imaginary url to config
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ config:system:set preview_imaginary_url --value=http://{{ application }}-imaginary.{{ docker_network.name }}:9000"
register: _command_result
failed_when: "'set to string' not in _command_result.stdout"
changed_when: false
until: _command_result is success
retries: 3
delay: 2
- name: Enable preview providers
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ config:system:set enabledPreviewProviders {{ ansible_loop.index0 }} --value={{ item }}"
register: _command_result
failed_when: "'set to string' not in _command_result.stdout"
changed_when: false
until: _command_result is success
retries: 3
delay: 2
loop_control:
extended: true
loop:
- 'OC\\Preview\\MP3'
- 'OC\\Preview\\TXT'
- 'OC\\Preview\\MarkDown'
- 'OC\\Preview\\OpenDocument'
- 'OC\\Preview\\Krita'
# imaginary
- 'OC\\Preview\\Imaginary'
# disabled by default
- 'OC\\Preview\\PDF'
- 'OC\\Preview\\SVG'
- 'OC\\Preview\\Font'
- 'OC\\Preview\\TIFF'
- 'OC\\Preview\\Movie'
- name: Install notify_push app
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ app:install notify_push"
register: _command_result
failed_when: "'Could not download app' in _command_result.stdout"
changed_when: "'already installed' not in _command_result.stdout"
retries: 3
delay: 2
- name: Create nextcloud notify-push container
ansible.builtin.include_role:
name: docker_container
vars:
name: "{{ application }}-notify-push"
image: nextcloud:30.0.2
entrypoint:
- /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push
- /var/www/html/config/config.php
env:
NEXTCLOUD_URL: "http://{{ application }}.{{ docker_network.name }}" # don't go through the proxy to contact the nextcloud server
volumes:
- "{{ config_directory }}/app:/var/www/html:ro"
traefik:
- port: 7867
rule: Host(`{{ application }}.{{ common_tld }}`) && PathPrefix(`/push`)
middlewares:
- "{{ application }}-notify-push-stripprefix"
blackbox:
path: /push/test/remote/1.2.3.4
labels:
'{
"traefik.http.middlewares.{{ application }}-notify-push-stripprefix.stripprefix.prefixes": "/push"
}'
- name: Configure notify_push
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ notify_push:setup https://{{ application }}.{{ common_tld }}/push"
register: _command_result
failed_when: "'configuration saved' not in _command_result.stdout"
changed_when: false
until: _command_result is success
retries: 3
delay: 2
- name: Create elasticsearch container
ansible.builtin.include_role:
name: elasticsearch
vars:
elasticsearch_version: 8.10.2
elasticsearch_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62333932303063376439386235313739336262613362303033396536326233366235616563623337
3563386563366661623539346161623265353636376637630a356131643361383236346434616536
39376566333961386464383061386365386532663237656161353233343965616261663166366463
3030616430653433360a643763383535376230633438386461353136666365636165636334323662
3961
- name: Install fulltextsearch app
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ app:install {{ item }}"
register: _command_result
failed_when: "'Could not download app' in _command_result.stdout"
changed_when: "'already installed' not in _command_result.stdout"
retries: 3
delay: 2
loop:
- fulltextsearch
- fulltextsearch_elasticsearch
- files_fulltextsearch
- name: Configure fulltextsearch app
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ {{ item.app }}:configure {{ item.value }}"
register: _command_result
failed_when: "'Invalid JSON' in _command_result.stdout"
changed_when: false
retries: 3
delay: 2
loop:
-
app: fulltextsearch
value: |
'{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-
app: fulltextsearch_elasticsearch
value: '{\"elastic_host\":\"http://elastic:{{ _elasticsearch_password }}@{{ _elasticsearch_hostname }}:{{ _elasticsearch_port }}\",\"elastic_index\":\"{{ application }}\"}'
-
app: files_fulltextsearch
value: '{\"files_pdf\":\"1\",\"files_office\":\"1\"}'
- name: Install oidc app
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ app:install oidc_login"
register: _command_result
failed_when: "'Could not download app' in _command_result.stdout"
changed_when: "'already installed' not in _command_result.stdout"
retries: 3
delay: 2
- name: Configure oidc app
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ config:system:set {{ item.key }} {% if item.value | type_debug == 'bool' %}--type=boolean{% elif item.value | type_debug == 'int' %}--type=integer{% endif %} --value='{{ item.value }}'"
register: _command_result
failed_when: "'set to' not in _command_result.stdout"
changed_when: false
until: _command_result is success
retries: 3
delay: 2
loop: "{{ _nextcloud_oidc_config | dict2items }}"
vars:
_nextcloud_oidc_config:
allow_user_to_change_display_name: false
lost_password_link: "disabled"
oidc_login_provider_url: "https://authelia.{{ common_tld }}"
oidc_login_client_id: "{{ application }}"
oidc_login_client_secret: "{{ ldap_oidc_apps.nextcloud.secret }}"
oidc_login_auto_redirect: false
oidc_login_end_session_redirect: false
oidc_login_button_text: "Log in with Authelia"
oidc_login_hide_password_form: true
oidc_login_use_id_token: true
oidc_login_attributes id: "preferred_username"
oidc_login_attributes name: "name"
oidc_login_attributes mail: "email"
oidc_login_attributes groups: "groups"
oidc_login_default_group: "admin"
oidc_login_use_external_storage: false
oidc_login_scope: "openid profile email groups"
oidc_login_proxy_ldap: false
oidc_login_disable_registration: true
oidc_login_redir_fallback: false
oidc_login_tls_verify: true
oidc_create_groups: false
oidc_login_webdav_enabled: false
oidc_login_password_authentication: false
oidc_login_public_key_caching_time: 86400
oidc_login_min_time_between_jwks_requests: 10
oidc_login_well_known_caching_time: 86400
oidc_login_update_avatar: false
oidc_login_code_challenge_method: "S256"
- name: Install other apps
community.docker.docker_container_exec:
container: "{{ application }}"
user: www-data
command: "php occ app:install {{ item }}"
register: _command_result
failed_when: "'Could not download app' in _command_result.stdout"
changed_when: "'already installed' not in _command_result.stdout"
retries: 3
delay: 2
loop:
- calendar
- contacts
- tasks